In November 2021, Elizabeth Denham who was then the UK’s Information Commissioner announced a provisional intent to impose a potential fine of over £17 million on Clearview AI Inc, an AI business that uses facial recognition technology to provide a database of online images to its customers. The fine related to numerous breaches of the UK’s data protection laws including failures in transparency, fair processing and data retention.

On 23 May 2022, following further assessment, the UK’s new Information Commissioner, John Edwards, has instead issued a much smaller fine of £7,552,800, along with an enforcement notice ordering the company to stop obtaining and using UK resident data from public sources, and to delete any UK resident data it currently holds.

In issuing its enforcement the Information Commissioner’s Office (ICO) joins a list of regulators in the EU that have also taken action against Clearview: In December 2021 the CNIL in France ordered Clearview to delete all data relating to French citizens; and in February of this year, the Garante in Italy imposed a €20 million fine, along with an instruction to delete and to stop any further use of Italian citizen’s data by the company.

With the UK no longer part of the EU, this action by the ICO against a US entity with no operations in the UK raises interesting issues of legality and enforcement in relation to online data scraping practices affecting UK citizens, as well as in relation to the international application and enforceability of UK data protection laws, which have been separate to European actions following the withdrawal of the UK from the EU in 2020. 

What is the basis for the fine?

So what exactly is it that Clearview is doing with personal data that has caught the attention of regulators? The ICO’s statement claims that despite the fact that Clearview no longer offers its services in the UK, Clearview has collected and continues to collect images from people in the UK from their social media platforms and other websites. These images are added to and stored on Clearview’s database. Clearview’s platform allows its customers to identify individuals using facial recognition software to search their database of over 20 billion images. It is the ICO’s position that Clearview both identifies and ‘effectively monitors the behaviour’ of the individuals whose data is stored in the Clearview, and this data is then monetized.

The key issues with this that the ICO raised from a UK data protection perspective are:

  • UK citizens were not aware and would not expect their data to be scraped from the internet and then used in this way by Clearview, and therefore Clearview has failed in its fairness and transparency obligations under UK data protection law.
  • There was no legal reason for Clearview to collect data from UK citizens for these purposes.
  • Facial recognition data, as biometric and therefore ‘special category’ data, is subject to higher standards of data protection in the UK, which have not been met.
  • No process was in place to prevent the data being stored indefinitely by Clearview, therefore failing to meet its obligations relating to data retention practices.
  • Clearview asked for additional personal information, including photos, when contacted by individuals to ask if they were part of the database. This could be seen as a disincentive to individuals to exercise their right to object to their data being collected, or to request that the data be deleted.

Is it enforceable?

The investigation into Clearview was a joint investigation by the ICO and the Office of the Australian Information Commissioner and conducted under the Global Privacy Assembly’s Cross Border Enforcement Cooperation Agreement.

Clearview has stated that it operates ‘legitimately’ in Australia, but has stated that the company has no establishment in the UK and that it currently does not do business in the UK. When defending its position in Italy, Clearview argued that it is not subject to the GDPR as it does not have a place of business in Italy or the EU, nor undertake any other activities that would otherwise mean it is subject to the GDPR. It seems likely that Clearview will use this line of argument again in relation to the UK’s jurisdiction to administer a fine against it, despite the claims that the company is effectively monitoring the behaviour of individuals in the UK through its data scraping practices.  If it fails in this argument, the fact that it has no establishment or operations in the UK may make enforcement difficult for the ICO.

This fine, along with the others given to Clearview, provide an indication of what is and is not acceptable to with regard to expectations of privacy in a digital world where more and more elements of individuals’ daily lives are shared on the internet.

The focus on transparency and fairness seems to have been a key driver here – if an individual wouldn’t expect their data to be used in the way a company is using it, it is unlikely to be deemed acceptable by many regulators. It is easy to see how people in the UK wouldn’t imagine that their facial images would be being harvested for use in an US online database when they are happily uploading their holiday pictures to their social media feed.

It will remain to be seen how Clearview will respond to the ICO’s fine and the request to cease processing and delete any UK residents’ data, if at all, and how the ICO will react to any challenges to its enforcement.

Finally, as happened in the BA and Marriott cases, yet again the ICO’s potential fine was far greater that than issued. In this case a reduction of over 60% was applied. So, are the ICO’s intentions to fine the regulator bearing its teeth (but with a bark that is worse that its bite)? Or is it still struggling to assess quantum in these cases? Or are we seeing a change in enforcement strategy with the new Information Commissioner taking the reigns? Only time, and a few more notice of intention to fine, will tell. As for the moment, on this issue there is anything but a clear view.